fc-glyphname/fc-glyphname.c | 2 +-
fc-lang/fc-lang.c | 2 +-
src/fcname.c | 2 ++
src/fcstr.c | 8 ++++++--
4 files changed, 10 insertions(+), 4 deletions(-)
New commits:
commit 0b7f42f777a14ee61783fd95dd04e870f02d201e
Author: Alan Coopersmith <alan.coopersmith@xxxxxxxxxx>
Date: Sat Nov 2 10:23:57 2013 -0700
Avoid null pointer dereference in FcNameParse if malloc fails
Reported by parfait 1.3: Error: Null pointer dereference (CWE 476) Read from null pointer t at line 423 of src/fcname.c in function 'FcNameParse'. Function _FcObjectLookupOtherTypeByName may return constant 'NULL' at line 63, called at line 122 of src/fcobjs.c in function 'FcObjectLookupOtherTypeByName'. Function FcObjectLookupOtherTypeByName may return constant 'NULL' at line 122, called at line 67 of src/fcname.c in function 'FcNameGetObjectType'. Function FcNameGetObjectType may return constant 'NULL' at line 67, called at line 422 in function 'FcNameParse'. Null pointer introduced at line 63 of src/fcobjs.c in function '_FcObjectLookupOtherTypeByName'.
Signed-off-by: Alan Coopersmith <alan.coopersmith@xxxxxxxxxx>
diff --git a/src/fcname.c b/src/fcname.c
index 712b2fa..f302948 100644
--- a/src/fcname.c
+++ b/src/fcname.c
@@ -420,6 +420,8 @@ FcNameParse (const FcChar8 *name)
 if ((c = FcNameGetConstant (save)))
 {
 t = FcNameGetObjectType ((char *) c->object);
+ if (t == NULL)
+ goto bail2;
 switch ((int) t->type) {
 case FcTypeInteger:
 case FcTypeDouble:
commit 5b8380d52eae55cba0adcc47d78a53c320d294ec
Author: Alan Coopersmith <alan.coopersmith@xxxxxxxxxx>
Date: Sat Nov 2 10:23:56 2013 -0700
Avoid memory leak when NULL path passed to FcStrBuildFilename
Reported by parfait 1.3: Memory leak of pointer sset allocated with FcStrSetCreate() at line 933 of src/fcstr.c in function 'FcStrBuildFilename'. sset allocated at line 927 with FcStrSetCreate(). sset leaks when sset != NULL at line 932.
Signed-off-by: Alan Coopersmith <alan.coopersmith@xxxxxxxxxx>
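Review bot: The new `if (t == NULL) goto bail2;` is correct but bare; nothing at that line tells a reader of FcNameParse why FcNameGetObjectType can hand back NULL, so add `/* FcNameGetObjectType can fail (the object lookup may be unable to allocate); bail out rather than dereference t */` above it. The label `bail2` and the rest of FcNameParse lie outside the hunk, so whether it releases `save` and any partially built result on this new path cannot be confirmed from here; it should be the same cleanup the function's other failure paths use. The caller gets a plain NULL with no diagnostic, which matches the existing style of this parser but is worth stating in the function's header comment.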
diff --git a/src/fcstr.c b/src/fcstr.c
index 5707172..024dae3 100644
--- a/src/fcstr.c
+++ b/src/fcstr.c
@@ -924,12 +924,16 @@ FcStrBuildFilename (const FcChar8 *path,
 ...)
 {
 va_list ap;
- FcStrSet *sset = FcStrSetCreate ();
+ FcStrSet *sset;
 FcStrList *list;
 FcChar8 *s, *ret = NULL, *p;
 size_t len = 0;
- if (!sset || !path)
+ if (!path)
+ return NULL;
+
+ sset = FcStrSetCreate ();
+ if (!sset)
 return NULL;
 if (!FcStrSetAdd (sset, path))
commit cb72901d0b7dff73ea2596491c5db602e4750853
Author: Alan Coopersmith <alan.coopersmith@xxxxxxxxxx>
Date: Sat Nov 2 10:23:55 2013 -0700
Leave room for null terminators in arrays
Code currently returns a fatal error if it tries to add more entries than the array has room for, but it wasn't checking to make sure the final null terminator entry would fit. Reported by parfait 1.3: Error: Buffer overrun Buffer overflow (CWE 120): In array dereference of files[i] with index i Array size is 256 elements (of 4 bytes each), index >= 0 and index <= 256 at line 250 of fc-glyphname/fc-glyphname.c in function 'main'. Error: Buffer overrun Buffer overflow (CWE 120): In array dereference of entries[i] with index i Array size is 1024 elements (of 8 bytes each), index >= 0 and index <= 1024 at line 298 of fc-lang/fc-lang.c in function 'main'.
Signed-off-by: Alan Coopersmith <alan.coopersmith@xxxxxxxxxx>
diff --git a/fc-glyphname/fc-glyphname.c b/fc-glyphname/fc-glyphname.c
index 8402781..078490a 100644
--- a/fc-glyphname/fc-glyphname.c
+++ b/fc-glyphname/fc-glyphname.c
@@ -233,7 +233,7 @@ dump (FcGlyphName * const *table, const char *name)
 int
 main (int argc FC_UNUSED, char **argv)
 {
- char *files[MAX_GLYPHFILE];
+ char *files[MAX_GLYPHFILE + 1];
 char line[1024];
 FILE *f;
 int i;
diff --git a/fc-lang/fc-lang.c b/fc-lang/fc-lang.c
index 0f4217f..38fc697 100644
--- a/fc-lang/fc-lang.c
+++ b/fc-lang/fc-lang.c
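Review bot: Moving the `!path` test ahead of `FcStrSetCreate` closes the leak, but the ordering now carries the correctness and nothing says so; a future cleanup that hoists the allocation back into the declarations would silently reintroduce the bug. Add `/* reject a NULL path before allocating anything, so there is nothing to free on this return */` above `if (!path)`. The `FcStrSetAdd` failure branch at the end of the hunk continues outside it, so whether that path destroys `sset` cannot be confirmed from this view.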
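Review bot: `MAX_GLYPHFILE + 1` encodes "N entries plus a terminator" with nothing at the declaration saying so, and the loop that fills `files[i]` together with its `MAX_GLYPHFILE` bound is outside the hunk, so the next reader has to rediscover why the two sizes differ. Put `/* + 1: files[] is terminated by a NULL entry after the last file */` on the declaration. The same comment is wanted on `entries[MAX_LANG + 1]` in the fc-lang/fc-lang.c hunk that follows.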
@@ -254,7 +254,7 @@ static int compare (const void *a, const void *b)
 int
 main (int argc FC_UNUSED, char **argv)
 {
- static Entry entries[MAX_LANG];
+ static Entry entries[MAX_LANG + 1];
 static FcCharSet *sets[MAX_LANG];
 static int duplicate[MAX_LANG];
 static int country[MAX_LANG];
_______________________________________________
Fontconfig mailing list
Fontconfig@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/fontconfig
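Review bot: Only `entries` receives the extra slot while the sibling arrays `sets`, `duplicate` and `country` stay at `MAX_LANG`; if main ever touches them at the same index that stores the terminating entry, they would now be the ones one element short. The fill loop is outside the hunk, so this is a question rather than a reported defect: please confirm those three are never written at index `MAX_LANG`, and record the answer at the declarations, e.g. `/* entries[] carries a terminator at [count]; sets/duplicate/country are only indexed below count */` if that is indeed the invariant.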